01 Background to risk maturity models

This chapter covers:

●● Concepts and definitions
●● Capability not competency or capacity
●● Tailored risk maturity model meaning
●● Assessing risk management effectiveness meaning
●● Origins of capability maturity models
●● Risk maturity model offshoot
●● Misunderstandings:
–– All models are born equal
–– Global best practice
–– Progression without regression or stasis
–– Just a tool
●● Summary
Introduction
Megan, a quality manager at an NGO, had been given a formidable task and felt lost. Using the information contained in this chapter, Megan learnt to understand the way that risk maturity models evolved away from the capability maturity models that led to Six Sigma and other concepts in quality management that she was more familiar with. She did not feel lost anymore but understood the direction she needed to take with risk maturity. She even had a few misconceptions cleared up along the way.

The purpose of this background chapter is to start by clarifying the basic concepts and definitions behind risk maturity models and how they are connected to the organization’s need to assess risk management effectiveness. We trace how, since 1997, risk maturity models have evolved away from their parent, the capability maturity model. We learn how risk maturity models have expanded to cover multiple risk-related capabilities other than just process. We clear up some common misunderstandings to clarify language and to avoid things that should not deter organizations from ‘moving up the risk maturity curve’. This enables us to understand the benefits and potential in these models, which is covered in Chapter 2.

Concepts and definitions

A risk maturity model is a capability maturity model adapted to the needs of risk management. It serves, amongst other benefits, as a powerful tool to assess risk management effectiveness. Understanding each of these terms one step at a time will help to compare, tailor, design and enhance your risk maturity model in our later chapters.

The meaning of capability maturity model

The meaning of maturity

A dictionary definition for maturity and to be mature takes in several perspectives that are a mosaic of several notions (COED, 2011). The economic, industry or organization perspective defines it as developing to a point where substantial expansion no longer takes place. A people or organisms perspective defines it as becoming or being fully developed, full-grown, having reached a stage of mental or emotional development characteristic of an adult, or to be grown-up. A process perspective means reaching the most fully developed stage for that process. A thought and planning perspective takes in being of a careful and thorough nature. A food and drink perspective means becoming ready for consumption, or in a ripe state. Finally, a bill, insurance policy or security perspective involves becoming due for payment having reached the end of its term.

The maturity concept relates to the current or future state, fact or period of being mature. For organizations, this concept relates to the current or future state, fact or period of evolving development, quality, sophistication and effectiveness of attributes characteristic of that organization. Of course, this is not necessarily age-dependent. For example, New York University (NYU) reported recently that their ERM global programme and risk management at their newest campus operation in China was more mature than the parent operation founded in 1831.

In other words, maturity is a path or direction ascending from a low to a more highly developed capability state or states. This ascending direction implies increasing effectiveness over various time periods. However, progression states are always subject to periods of stasis (where progress stays still or travels sideways) and regression (where progress goes backwards).

The meaning of maturity model


A model represents a simplified description of a system or process to assist evaluation, calculations or predictions. It is typically repeatable and testable over time.

A maturity model uses a model of some sort to order its subject matter content into maturity-related structures. A maturity model conceptualizes a systemic or organized way to follow a path of organization actions. It normally applies a mix of theory, practice, experience, wisdom, ‘perfection’ assumptions or acculturation. It assumes that the working answer to the common question ‘what is effective/what works?’ for an organization lies in some form of progression over time, rather than a creation event at one point in time. It harks back to the adage ‘Rome was not built in a day’.

In process terms, a maturity model involves some type of repeatable construct with content representing inputs and outputs leading to outcomes. The model often takes the form of a ladder, continuum or set of structured ascending levels or classes describing content that is evolving, developing or adding more sophisticated qualities over time. The content subject area can vary and may represent almost anything. It may be actions, objects or things but it typically includes progressive ways of doing something, characteristics of something, initiatives, practices and processes.

Maturity models are often dubbed ‘road maps’ for planning and implementation purposes. This signifies that maturity models attempt to transform content that may be complex and difficult into a more simplified actionable system to ‘road map’ improving, desired, anticipated, typical or logical evolutionary paths for organization actions.

It is important to note that whilst maturity model evaluations may outline anticipated, typical, logical and desired evolutionary paths, these paths need not necessarily lead to ‘perfection’ or ‘best practice’ for an organization within any given time period. For example, a simple maturity model could define a path of successively improved tools for doing maths to track finances: using fingers, using an abacus, using an adding machine, using a slide rule, using a computer, or using a hand-held calculator. Using a hand-held calculator may be viewed as a more mature tool than a slide rule but you may not be willing and able to use one if you are a hunter-gatherer tribe in Highland New Guinea where one’s fingers may still be effective at the lowest cost.

Our working definition, then, is that a maturity model is a simplified system that ‘road maps’ improving, desired, anticipated, typical or logical evolutionary paths of organization actions. This ascending direction implies increasing effectiveness over time but need not necessarily lead to ‘perfection’ or ‘best practice’ for an organization (albeit subject to stasis and regression).

The meaning of capability maturity model

Capabilities are the specific abilities, faculties or powers of an organization, enabling it to collectively deliver organization objectives in the face of threats and to leverage opportunities. Capabilities may include unused and undeveloped or still-developing abilities that lend themselves to assessment as to how complete they are at any current point in time (as-is) or can be at a targeted period of time (to-be).

For organizations, capabilities can be represented or evidenced by the interaction of many tangibles. These may change over time and may be qualitatively and/or quantitatively measured. Capabilities include but are not limited to: processes, technologies, assets, people, decision-related behaviours, practices, attitudes, competencies, disciplines and approaches of an organization to achieve or exceed their objectives. Another way to think of a capability is to think of a specific ability as a flow diagram, being inputs-to-outputs-to-outcomes where the end outcome is the achievement of specific organization objectives and strategies. For example, a sales training programme (an input) can improve customer relationship management (output) leading to organization growth targets being met (outcome). Put more simply, the key challenge for an organization is: is it capable of ‘doing the right things’ to achieve objectives? Those ‘right things’ are likely to represent capabilities when correctly framed and prioritized.

Capability levels are indicators, positions or stages on a scale of quantity, extent, rank or quality of organization capability. These are typically achieved by visible and verifiable evidence for the implementation of each capability and its attributes or subcomponents.

A capability maturity model at its simplest focuses a maturity model on the maturation of one specific organization process capability. A typical example is software engineering development where ‘maturity’ measures the degree of formality and optimization of processes, typically ascending in maturity levels from ad hoc practices to formally defined steps, to managed result metrics, to active optimization of the processes.
The term capability maturity model started becoming popular in the 1980s within the US software engineering sector. The term developed with several permutations over time within this sector. Early on, maturity was seen more simply as ‘the state of being complete, perfect or ready’ (Simpson and Weiner, 1989). By 2005 within the information systems (IS) discipline, maturity was seen more pragmatically as ‘a measure to evaluate the capabilities of an organization’ (Rosemann et al, 2005). By 2009, capability maturity models were seen to be facilitating ‘evaluation by outlining anticipated, typical, logical and desired evolution paths’ (Röglinger, Pöppelbuß and Becker, 2012). By 2011, it implied an evolutionary progress from an initial to a desired target or naturally existing end-stage (Marx, 2011).

Modern-day researchers are still refining the capability maturity model. This is yielding increasingly clearer descriptions of the model elements, classification schemes for models and construction methods. However, what commonly defines the shared components for all modern capability maturity models is that they share, as a minimum: process maturity levels, different process dimensions and a process assessment instrument (Rosemann et al, 2005).

We return to this point later, but what is important to note here is that the original software sector and its followers have a quite narrow definition of a capability maturity model as modelling the maturity capabilities of a specific organization process to deliver the defined objectives of that process to its process owners. It focuses on a set of organizing capabilities for a process rated to a maturity level or dimension (being the degree to which processes are institutionalized) and the degree to which the organization demonstrates process maturity. It does not focus on non-process capabilities.

Capability does not mean competency or capacity


Capability does not mean competency
Competency and capability are not the same. The two terms have become confused by some over the years and are sometimes used as synonyms when in fact this confusion should be avoided and the terms need to stay completely separate.

A competency is the underlying ability of an individual to perform a job or task properly or excel at it, by combining a set of observable knowledge, skill and attitude that often results in work behaviours. In order for a competency to be considered a competency it must have all of these elements in play, according to the IIA Global Internal Audit Competency Framework 2012. As basic definitions, knowledge is application at work of content or material obtained through the use of experience, books or any other medium. Skill, on the other hand, is the ability to execute a certain task. Attitude demonstrates a person’s willingness and/or intent.

By this definition, a competency therefore is an applied knowledge that a person is willing to use to excel at a certain task. Some prefer to think of it in the form of a common sequence as in ‘apply knowledge then attitude then skill equals task done’. Competency professionals test and assess for competencies using observable indicators that may answer the following types of questions: ‘Given a few minutes or hours sitting beside an employee at work, would I be able to quantify (count) and qualify (rate) these behaviours?’ For the sake of clarity, competencies should not be ascribed to an organization, albeit the similar language and techniques used may confuse.

Capability on the other hand, within our context here, involves the ability or power of an organization to collectively deliver organization objectives. Capability is not confined to just individual people and people-related knowledge, skills and behaviour (even to risk-informed decision making). It is escalated and widened to teams, units, divisions and projects evoking an organization culture, technology, process, reputation and so forth. Capabilities represent what the organization is good at and known for. These capabilities outlive the performance or behaviour of any individual manager or single management system. For, say, the human relations/culture domain, such capabilities might include innovation, speed, customer focus and efficiency so that the capability of the organization reflects not just the amalgam of speed, efficiency and so forth, but the deeper values of the employees and the organization.

In our sense, then, a competency is a subset or part of one or more capabilities but not the other way around. So if a capability maturity model or risk maturity model contains many capabilities, one or a few of these may relate to competencies. For example, one capability that may be designed into your risk maturity model may be described as: ‘Appropriate competencies of all risk owners to manage a risk management plan evidenced in part by risk training, risk knowledge and appropriate application of risk-informed management decision making.’

Capability does not mean capacity

Capacity and capability are not the same. This confusion should also be avoided. Capacity commonly refers to the maximum amount that something can contain or produce (COED, 2011). For organizations, this is typically expressed in terms of metrics for the use or build-up of resources to a desired or measured level, optimum or maximum. For example, in a capacity-planning context, it is a process for sizing the operational demand for a technology or other asset over a variable range of operational needs. In financial and actuarial circles, it can refer to material risk-bearing capacity to financially measure the capacity of the organization to take a financial ‘hit’ on the books, or to invest in a new opportunity (implied by capital and funding constraints). Like competency, capacity is best considered a subset or part of one or more capabilities. For example, one capability may be described as: ‘A flexible organization capacity to provide appropriate resources to enable risk owners to effect risk action plans to which they are accountable and responsible.’

The meaning of a tailored risk maturity model

The meaning of risk maturity model

A risk maturity model is a capability maturity model specialized to an expanded set of risk management system capabilities. It is expanded because it is not just concerned with process maturity, like a standard capability maturity model, but a wider range of organization capabilities, as we previously noted and will continue to note throughout this book.

System commonly means a set of things working together as a mechanism or interconnecting network at the organization level. This should not be confused with an information technology system (albeit a risk management system may include risk management information systems).

Risk is the ‘effect of uncertainty on [organization] objectives where the effect is a deviation from the expected – positive and/or negative’ (ISO, 2009b: 1.1). Risk management means the coordinated activities that direct and control an organization in pursuit of its objectives with regard to risk, according to the ISO 31000:2009 risk management standard (ISO, 2009a) and its associated vocabulary guide (ISO, 2009b: 2.1). Risk management for our purposes is synonymous with such terms as enterprise risk management (ERM), integrated risk management or strategic risk management.

Risk management for ISO 31000 involves the architecture (principles, framework and process) for managing risk effectively. In other words, the risk principles, risk management framework (policies, mandate, standards, the organization resources, systems, culture and so forth to enable it), a common risk management process and their desired objectives or outputs-to-outcomes. These are ideally integrated or aligned by the different operating units and functions to existing management systems. A risk management plan refers to a scheme within the risk management framework specifying the approach, the management components and resources to be applied to the management of risk.
All these things may be considered risk management capabilities suitable for tracking with a risk maturity model. Whilst ISO 31000 does not use the collective term risk management system, this is common parlance and is promoted by King III (2009), the leading corporate governance standard. Therefore, we will use it for the purposes of this book as a useful and accurate term of convenience. We take the elements cited by what ISO 31000 calls architecture as representing desired capabilities within a risk management system and suitable content for a risk maturity model.

Risk maturity model is a shortened term that is sometimes reduced further to risk maturity (but assumed to be tracked by a risk maturity model). The more correct full term should be: a risk management system capability maturity model. That is, a maturity model focusing on the capabilities characterizing the risk management system, being the interconnected mechanisms organizing the right organization capabilities to deliver risk management effectiveness. However, this is cumbersome parlance for all, so the popular term for convenience of use is risk maturity model.

Risk maturity must not be confused with the ‘maturity’ of a risk, as in the maturation or realization of specific risks per se within the risk assessment process. For example, it should not be confused with risks moving from a watch-list status to a ‘closed/archived/treated’ status; or, moving from the so-called ‘unknown-unknown risk’ to a ‘known-unknown’ status.

Risk management maturity is cited by ISO 31000:2009 in strategic terms. It states that organizations should develop and implement strategies to improve their risk management maturity alongside all other aspects of their organization (Principle k). These strategies involve the planning and deployment of deliberately coordinated and resourced initiatives to improve organization capabilities specific to the risk management system – including its outcomes – in order to achieve maturity targets aligned to organization objectives.

The meaning of a tailored risk maturity model

A tailored risk maturity model means it represents a best fit or optimal fit to your unique organization. Following the ISO 31000 approach, ‘tailoring’ your risk maturity model means it becomes bespoke and as customized as possible to three elements:

●● your organization objectives;
●● the changing internal, and the internal and external, context in which it operates;
●● the changing risk profile it adopts.

For risk maturity models, tailoring is driven primarily by choice and quality of the capabilities content and scales, and influenced by external and internal benchmarking, model design of components, and other techniques and methods.

In summary, a risk maturity model is a capability maturity model specialized to an expanded set of risk management system capabilities. It represents a diagnostic tool using levels of maturity to track gap-improvement of the right organization capabilities designed to deliver risk management effectiveness. More correctly: a risk management system capability maturity model.

The meaning of assessing risk management effectiveness

Assessing is to evaluate and/or to use a diagnostic. The aim is to arrive at an estimate of a nature, value and quality.

Effectiveness is to produce a desired or intended result (COED, 2011). For organizations, this equates to a focus or mantra on ‘doing the right things’ such as planning and delivering the right organization objectives and the capabilities needed to do so. This may be applied for the risk maturity domain by simply substituting the word ‘things’ with the more specific word ‘capabilities’ – as in ‘doing the right capabilities’.

Practitioner Chris separates effective from efficient systems

Chris’s new boss came from an investment bank. The boss is fond of
expensive computer risk software and high-end financial risk and
quantification techniques and he introduces them to the construction firm.
These produce some novel and faster risk reports that seem to initially
improve the risk analysis and reporting steps in the risk process. However,
there is a lot of passive resistance from most of the line managers who are
not ready for such technology at this ‘small/lean/mean’ outfit. This passive
resistance has a GIGO-effect (garbage-in-garbage-out). This means the
overall rate of risk treatment effectiveness fell rather than rose. Chris feels
that the new boss has confused efficiency with effectiveness, to the
detriment of the latter.

Assessing risk management effectiveness is to evaluate ‘doing the right things’ in terms of the risk management system capabilities that include the desired risk management outputs-to-outcomes. For our purposes, this means evaluating the capability improvement gaps between the current ‘as-is’ state and targeted future ‘to-be’ states of the risk management system over planned budget periods. ‘Doing the right capabilities’ must be able to be evidenced and reasonably assured for their adequacy and effectiveness (as per ISO Guide 73: 3.8.2.6; ISO, 2009b). This is opposed to ‘doing things right’, which defines efficiency, not effectiveness. Risk management ineffectiveness (ie the risk of ineffective risk management) is arguably the greatest risk of all to organization success.

Assessing risk management effectiveness from an internal audit/board
perspective typically means an objective written assessment of the effectiveness
of the system of risk management and the internal control framework to the
board (King III, 2009). Assessment typically includes monitoring, review and
assessment techniques applied towards the effectiveness of the risk management
system, its issues and constraints, and the need for improvements. Results
should be shared with executive management and board.

Origins of capability maturity models


It is difficult to appreciate the power of risk maturity models without understanding their history and provenance (a record of ownership of where a work came from to establish trust). We defined the risk maturity model as an evolutionary offshoot of the capability maturity model (often dubbed CMM) that is adapted to the specific domain of risk management capabilities. Here, we quickly trace the origin of the risk maturity model since 1997, starting with its parent, the capability maturity model. In this way, we appreciate the history of the risk maturity model as a proven but still evolving tool that is still underutilized around the world and yet to release its full potential in widespread global practice from developed to developing countries.

We also appreciate that we can expect cross-fertilization to the enterprise risk management (ERM) umbrella domain to continue into the future. Therefore, if we want to design and improve our risk maturity models we need to understand where to look. ERM practitioners will continue to draw from new capability maturity models as the latter will continue to represent a sister body of knowledge for inspiration and for potential submodels feeding their own ERM-level models.

Capability maturity models (CMMs)


Capability maturity models began as a process maturity framework with origins in 1920s industrial quality control. The first pioneering work to assess how managers could improve a single process originated with Walter Shewhart at Western Electric in 1924 where he became known as the father of statistical quality control. The second pioneer was Watts S. Humphrey and his 1989 book Managing the Software Process. The model was focused in this 1980s era in evaluating the ability of government and US Department of Defence military contractors to perform software projects. It was only concerned with the software engineering process.
The capability maturity model has diversified since the 1990s into an
internationally recognized model with broader domain applications than
software engineering. Over time, the theory behind the capability maturity
model has inspired other like-models. It has been applied to most corporate
functions and a variety of large and small organizations across many industries/
sectors. These include: software development, systems engineering, project
management, defence, business development and human resources.

SEI-style capability maturity model


The work by the earliest pioneers of the capability maturity model (CMM) was further developed at Carnegie Mellon University in the late 1980s. This still forms the foundation of most maturity models today. By 1991, the Carnegie Mellon University Software Engineering Institute (SEI) released the Software Capability Maturity Model (commonly referred to as the ‘SEI CMM’).
The SEI model increments process development from one level to the next
along a theoretical continuum of process maturity. It is process-centric and
the focus is on single-process capability improvement. The predictability,
effectiveness and control of an organization’s software processes are believed
to improve as the organization moves up five maturity levels. Within each of
these maturity levels are key process areas, which characterize that level.
Skipping levels is regarded as either not allowed or not feasible.
A typical SEI CMM has five Likert scale levels with titles and short
descriptors:

●● Initial (Chaotic) – level 1 title describes undocumented or dynamically changing processes, tending to be driven in an ad hoc, uncontrolled and reactive manner by users or events.
●● Repeatable – level 2 describes some repeatable processes with some consistent results but process discipline is unlikely to be rigorous, especially under stress.
●● Defined – level 3 describes sets of defined and documented standard processes that are established, provide consistent process performance and are subject to some degree of improvement over time.
●● Managed – level 4 refers to the use of process metrics and other ways to manage, adjust and adapt processes to ensure effective control without measurable losses of quality or deviations from specifications.
●● Optimizing – level 5 refers to a focus on continually improving process performance through both incremental and innovative technological changes/improvements.

SEI capability maturity model components


As the SEI style of capability maturity models developed over time, the number
of hierarchical components grew:

●● Maturity level components are organized on a five-level process maturity continuum where the uppermost (fifth) level is a notional ideal state where processes would be systematically managed by a combination of process optimization and continuous process improvement.
●● Key process areas appear under each level; these identify a cluster of related activities that, when performed together, achieve a set of goals considered important.
●● Goals for each key process area summarize the states that must exist for that key process area to have been implemented in an effective and lasting way. The extent to which the goals have been accomplished is an indicator of how much capability the organization has established at that maturity level. The goals signify the scope, boundaries and intent of each key process area. The goals are of two types, either specific goals leading to specific practices, or generic goals sharing common features (see below) and leading to general practices.
●● Common features include practices that implement and institutionalize a key process area. There are five types of common features: commitment to perform, ability to perform, activities performed, measurement and analysis, and verifying implementation.
●● Key practices describe the elements of infrastructure and practice that contribute most effectively to the implementation and institutionalization of the area.

SEI CMM competition, constraints and growth


The major competitor to the SEI Capability Maturity Model (CMM) is ISO/IEC 33001:2015 Information technology – Process assessment – Concepts and terminology. This replaced its predecessor the ISO/IEC 15504 Capability Maturity Model, as of March 2015. ISO/IEC 33001 supporters prefer their model for a number of reasons. Supporters claim it is publicly accessible through national standards bodies (rather than through one ‘expensive’ private source), that it therefore has more international support through these national standards bodies and that it and ISO/IEC 15504 have proven themselves through over 4,000 assessments conducted to date over a range of industries. These industries include automotive, space and medical systems with industry-relevant variants.

Capability maturity models have constraints. We have already seen how they have a maturity-of-process bias. Further, this maturity-of-process methodology is not mandatory for commercial success. This is demonstrated by some of the better-known software development firms, including ‘shrink-wrap’ companies (also called commercial-off-the-shelf or ‘COTS’ firms or software package firms). Such firms have included Claris, Apple, Symantec, Microsoft and Lotus. Critics claim that these companies have successfully developed their software, without having considered or managed their processes as a capability maturity model. Moreover, if they had done so, they would be better rated as a typical SEI CMM lower level 1 or 2 (as described above).
Despite their limitations, capability maturity models have evolved since
the early 1980s and have successfully branched out. The original aim of
CMM to improve existing software development processes has now been
applied to many other business processes, including business development,
supply chain, human resource, work culture, project management, business
intelligence, information security, corporate reputation, health sector manage-
ment, business resiliency and record keeping. CMMs are sector-extensive
across the world, especially in government offices, commerce, industry and
software development organizations. They have even been combined with
other methodologies such as the ISO 9001 standard, extreme programming
(XP) computer programming methodology and Six Sigma (as we saw with
our practitioner Megan).

Risk maturity model offshoot to capability
maturity model

The risk maturity model offshoot

The SEI-style of capability maturity model has been adapted to the risk
management discipline since 1997 with risk maturity model offshoots.
Sometimes the same SEI-style labels and descriptors as we outlined earlier
have been slavishly copied by the risk management discipline with little
thought to tailoring.
As we mentioned earlier, the risk management discipline and the remit for
risk maturity models is wider than just a set of processes. A risk maturity
model is a set of structured levels that integrate a mix of multiple capabili-
ties. These capabilities do not just involve processes but include how the
behaviours, practices, attitudes, competencies, disciplines and approaches of
an organization interact to produce organization outcomes. These represent
a risk management system. There are many components that make up a set
of organization capabilities, far more than just the sort of processes most
people think when they see a process map on a process chart, or the risk
process diagram in ISO 31000:2009.

Practitioner Alan looks beyond a single capability
model approach to multiple capabilities

Alan understands that the utility company he works for is very process-
driven and relies on information technology (IT). For this reason, he had
checked out both the ISO/IEC 33001:2015 Information technology – Process
assessment standard and the SEI capability maturity models as they too
are quite process-driven. He thought they might function well as reference
material to independently assure by an annual audit the existing risk
maturity model that the ERM manager was stewarding. He decides that his
IT people might be interested in a capability maturity model for assessing
their own process effectiveness as an IT function. But he also feels that
the ERM manager is quite correct in saying that a capability maturity model
is too narrow for ERM purposes and that the maturity levels are not a great
fit to their utility. Alan also found support for the need for a multi-capability
risk maturity model when he read McKinsey & Co for more guidance
(Pergler, 2012).

Risk management maturity evolves from a process bias
to capabilities

Alan’s preferred solution goes to the need for a multiplicity of capabilities to
make up a risk management system. Alan found an interesting article from
McKinsey & Co with a particular take on the evolution of modern risk
management that Alan did not agree with (Pergler, 2012).
McKinsey sees modern risk management origins in a set of disciplines, as
well as processes, cradled within financial institutions since the 1980s. There
was some cross-industry transfer from financial institutions to the non-
financial sector. This was beneficial but differences between the two sectors
developed in terms of expectations, challenges, language and many other
capabilities. The non-financial sector evolved from an initial health and
safety focus – especially in heavy industrial and natural-resource companies
– and developed a ‘risk register-bias’. McKinsey believes that this capability
bias meant that the non-financial sector ‘routinely miss or woefully miss-
estimate the risks that end up really mattering to the achievement of their
overall objectives or even fundamental health’. McKinsey goes on to say
that ‘these differences in maturity are neither accidental, nor irrelevant.
Rather they reflect underlying differences in drivers of value creation,
including assets and exposures, but also strategic capabilities; risk manage-
ment can be one of these.’
McKinsey sees ERM as a journey for all business sectors over several
stages of a maturity spectrum. As of 2012, McKinsey believed that certain
sectors could be attributed to certain ascending maturity stages:

●● The average retail and telecommunication corporates represented
an intermediate Stage 0 to 1.
●● Financial institutions such as smaller regional banks represented
Stage 1.
●● Strong natural resources exposures and important technical/research
and development (R&D) risk sectors such as pharmaceutical
corporates represented an intermediate Stage 1 to 2.
●● The average financial institutions represented Stage 2.
●● Energy corporates (using increasingly mature liquid commodity
markets), conglomerates and asset managers/investors (juggling
diverse portfolios of assets) all seeking competitive advantage in a
crowded competitive arena represented an intermediate Stage 2 to 3.
●● Only a handful of investment banks represented Stage 3.

Why McKinsey avoided the simpler maturity stage numbering from 1 to 4
or 5 is not known. The article (Pergler, 2012) does highlight our key point
as to how far risk maturity models moved to expand from one to multiple
capabilities. For McKinsey, then, key maturity-rating criteria are not just
‘processes’ but a diverse range of organization capabilities (such as asset
management, competitive intensity and strategy, including risk management
but also touching on risk registers, expectations, challenges and language).

Practitioner Alan feels risk
management predates the 1980s

Practitioner Alan has one correction to the McKinsey view. He feels that
the risk management discipline predates the adoption by financial institutions
in the 1980s, not the other way around. Risk management draws on roots in
the legal, insurance, project management as well as health and safety
disciplines that predate the 1980s and were not sector specific. Alan had
learnt a lot from an older mentor at his utility who, as an internal auditor,
had lots of experience assuring these specialty risk disciplines that were
important to utilities (and energy/oil and gas sectors) from the 1960s and 1970s.

Figure 1.1   Value contributed by evolving risk management

[Figure 1.1: chart of VALUE CONTRIBUTED* (vertical axis) against RISK MANAGEMENT PERSPECTIVE (horizontal axis), showing four ascending stages leading towards Strategy: Financial Risk Management (Focus: financial and hazard risks and internal controls; linkage to opportunity understated; scope: treasury, insurance and operations involved, risk-by-risk); Operations Risk Management; Business Risk Management (Focus: business risk; linkage to opportunity is clearer; scope: business managers accountable); Enterprise-wide Risk Management (Focus: business risk; linkage to opportunity is crystalline; scope: align strategy, processes, people, technology and knowledge on an enterprise-wide basis).]

* Note that ‘value contributed’ means the contribution of risk
management to establishing sustainable competitive advantage,
improving business performance and optimizing costs.

Source: Reprinted with the kind permission of Dr Steven Halliday

One way of visualizing such evolution is to look at how risk management
has value-added to the organization over time. Figure 1.1 (Halliday, 2012)
summarizes this value-add evolution, which was not solely dependent on
the financial sector.

Early risk management maturity model trends

The first risk management maturity model offshoot from an already-evolving
line of capability maturity models came in 1997 with a groundbreaking
paper from David Hillson (Hillson, 1997). Hillson dubbed his offshoot a
‘risk maturity model’ (or ‘RMM’). He aggregated organization-level risk
management maturity capabilities into four domains or themes: culture,
process, experience and application. This represented a watershed for the
risk discipline.
After an initial five-year hiatus, the Hillson risk maturity model of 1997
has been followed by a steady release of risk management-related models
to the present day. The initial trend was for the release of various risk
management subdomains such as project risk management. Over time, other
content was blended into risk maturity models. Content often benefited
from cross-fertilization from related disciplines. The European Foundation
for Quality Management (EFQM) excellence programme and approaches is
one notable example.
Later variations added domain-specific risk maturity models. The most
notable of these was the enterprise risk management (ERM) domain, which
has flourished. ERM risk maturity models were tailored to various industries
or sectors and geography, such as those specific to Canadian national health
services and even to Dutch municipalities. Some prominent dates and early
risk maturity models included a mix of ERM and sub-ERM domains as
follows:

●● 2002 saw the release of a project risk-focused model called risk
management maturity models (RMMM) by INCOSE.
●● 2003 saw the release of a business continuity-focused model called
BCCM® and a HR risk-culture-focused model by HRDC.
●● 2006 saw an enterprise risk management (ERM)-focused model
(Chapman, 2006) and a sophisticated project-focused model called
the project risk maturity model (Hopkinson, 2011).

This rich evolutionary ‘bush’ of risk maturity models is represented in
Figure 1.2. This summarizes how capability maturity models have continued
evolving whilst risk maturity models branched off in 1997 into ERM and
ever-more risk-specialized offshoots to the modern day.

Figure 1.2   Maturity model evolution

[Figure 1.2: two-column timeline. Capability Maturity Models: 1988 Humphrey; 1991 SEI CMM; others. Risk Maturity Models: 1997 ERM Hillson; 2002 Projects, HR and Culture; 2003 Business Continuity; 2005 IT; 2006 Info Security; 2008 ERM multiplies; 2010 Health, Public Sector; 2014 Supply Chain; others.]

As in nature and biology, such evolutionary diversity is a most beneficial
aid for maturity modellers wanting to tailor their own risk maturity model
to their organization’s internal and external context. Continuous improve-
ment drives evolving risk maturity models akin to how biological evolution-
ary forces such as natural selection do the same for speciation. The diversity
in model approaches provides a rich range of source material for tailoring.
These sources continue to grow.
Now that we have some clearer vocabulary, let us turn our attention to
some important misunderstandings that need to be clarified before closing
this background chapter.

Misunderstanding 1: all models are
born equal

All risk maturity models are not born equal. As in nature and biology,
individuals of the same species may appear superficially equal and/or the
same but their DNA and behaviour differ. If the highest purpose for a risk
maturity model is to be tailored or fit-for-purpose to the unique organization,
then logic declares that at least some models are never going
to fit every organization. Some models will naturally be a better fit-for-purpose
for the unique organization than others.
From an organizational macro-perspective, all risk maturity models are
valuable for at least three reasons. First, starting your risk management
system somewhere and building on it over time is far better than doing
nothing at all and especially so for early or low maturity organizations.
Second, parts or attributes from any risk maturity model – even for one
capability or a level description – can be put to use or influence the tailoring
of your own model. Some part or whole of any model can be tailored and
adapted to suit your organization. As many models are conceptual in nature,
this lends itself to tailoring. Third, this inclusive attitude to content is a
positive. It helps drive continuous improvement for the risk discipline/
profession and for the common good.
In the end, you will find that you can tailor parts or the whole of some risk
maturity models far more appropriately to your organization than others.
Finding the right mix for you and your organization is the trick.

Misunderstanding 2: global best practice

There is a common search for what is termed global best practice in ERM
and risk maturity models. Unfortunately, there is no such thing – at the time
of writing – as an internationally agreed absolute or ideal. There are models
that are ‘good’ or ‘better’ relative to each other in terms of tailoring and
those that are better fit-for-purpose for a specific organization than others.
However, there is no current ‘best’ model in either absolute quality or global
reach terms, nor is one a mandatory requirement for risk maturity model-
ling. There is no ‘silver bullet’ model or one-size-fits-all.
What does best mean anyway – best at what, compared to who? Why
do you need a model? Who is going to decide on it? Where will it apply?
How can you prove it to senior stakeholders? Those brave risk management
consultants who may have gone down the mistaken path of initially agreeing
to work to a client brief clamouring for ‘best practice’ have often rued
that agreement. We need to be cautious if we recall what has happened to all
those Tom Peters lauded companies of the 1980s. We must not forget that
Enron was held up by McKinsey & Co and others as ‘global best practice’
before it crashed. For a sobering Enron post-analysis do not go to Wall Street,
read Malcolm Gladwell’s account (Gladwell, 2009). Gladwell summarizes
that the McKinsey-led ‘very best and brightest talent’ culture mindset that
was the vogue at the turn of the century led to the Enron collapse in a mire
of so-called brilliant mathematical models, twisted special-purpose vehicles
and complex accounting.
The ‘global best’ misconception probably stems from how relatively
naive and immature the enterprise risk management discipline is – ERM as
a discipline is still feeling its way, is somewhat naive and playing ‘catch-up’
to far more mature professions such as the internal audit, project manage-
ment or insurance professions. These related professions enjoy well-established
tools, techniques, trade media sponsorship, deep coffers from large profes-
sional memberships and bodies of knowledge that spell out their capabilities
to boards and executive or senior management (CxOs). The Project
Management Institute’s ‘Project Management – Body Of Knowledge’
(PM-BOK®) is one example of this. Other professions understand and have
a common agreement as to the set of core capabilities they bring to the table.
As yet, the risk ‘profession’ does not.
The claim to being ‘global’ is overused and needs to be used very
carefully. Standards that are ISO-designated through accredited national
bodies may legitimately claim to be ‘global’. However, most other so-called
frameworks or voluntary reference codes are not global. No matter how
good they are – or they can be – they are national or at best semi-regional
and usually support narrow commercial interests.
If a tag or label is required then global best practice may be attractive but
it is unnecessary. The risk profession should be confident using a range of
quite adequate terms as alternatives. Striving towards global best practice
reflects the true reality and a better way to approach the matter. World-class
is debatable but acceptable, as it does not imply an absolute and allows for
more than one class or level. Industry best practice is a popular term that
overcomes the challenges by the term global best practice and can be refer-
enced by external evidence by researchers and organizations sharing data
and approaches. Global practice, good practice, better practice, appropriate
practice, relevant practice, recommended practice (by leading authorities
and practitioners), leading practice or best-fit–to-standards are all acceptable.
These can be substantiated by transparent criteria (ie be evidence-based)
that garner stakeholder buy-in and they can be sustained over time.

Misunderstanding 3: progression without
regression or stasis

The natural science process of evolution is not one of continuous smooth
progress. Rather, it involves fits and starts and adaptations with readaptations
and shorter or longer periods of stasis depending on the external environment
and competition. Think of the various species such as whales that evolved
from land to pond to sea then back again over time. The evolution lesson is
that progression-regression-stasis are inseparable processes and not a smooth
transition.
This lesson applies equally to the risk maturity domain. Organizations
rarely progress smoothly or with any ‘big bang’. Progressing from a lower
phase of development or sophistication (maturity) to a higher phase rarely
goes perfectly or evenly across all fronts. For some organizations the cost in
investment, time and management distraction means that uniform progres-
sion on all capability fronts without stasis – or occasional regression – is
neither an option, nor reality, nor even perhaps an ideal target.
In fact, an organization getting on in age probably leads to various forms
of natural stasis – even fits and starts. Moreover, changes in environment
and competition sometimes lead to organization regression. BP, for example,
used to rate itself right up there on the maturity curve with the best.

Practitioner Megan reflects on BP and regression

Megan was interested in learning from the largest accidental marine oil
spill in history, the BP Gulf of Mexico 2010 disaster, when the Deepwater
Horizon offshore oil platform exploded. It caused 11 fatalities, reputation
loss, a share price cliff-fall and at least US $65 billion in damages and
reparations. She guessed that the oil giant rated its risk maturity level
very highly at close to 90% Level Index after 100+ years of safety and risk
management operations. Megan was shocked to discover when she
looked into the causes that the BP subcontractor involved in the blowout
had a nonsense risk register. This register was such a bad ‘copy-and-paste
check-the-box job’ that it registered icebergs and whale risks in the Gulf of
Mexico! Megan doubted that the cause could be swept under the carpet
as just individual human error and oversight by a few individuals intent on
taking safety and quality shortcuts. She is convinced this was not just one
capability deficiency in, say, supplier management. She feels that the CEO
comment that led to his forced resignation (‘You know, I’d like my life back’)
corroborates her conclusion that Deepwater Horizon represented a very
costly form of risk maturity regression when a highly risk mature organization’s
culture becomes too arrogant and complacent from the top-down and at
any point in-between. She understands now that risk maturity is not only
about managing progression, but regression and stasis as well.

Case study   Regression case study: INFRACO,
infrastructure firm

A real infrastructure company (name withheld, dubbed INFRACO) in the Middle
East was newly established with a small permanent organization of up to 650 staff.
In turn, it had to manage a multi-billion infrastructure mega-project via 1,500
external programme management company (PMC) staff. The PMC in turn,
managed up to 16,000 workers. The project ran for six years over a large footprint
size (equal to a quarter of Rhode Island in the United States or half of Singapore
island). In effect, a two-track risk maturity developed: the new CEO ramped up
the project and project-risk management maturity on the mega-project to a level
he believed to be ‘world class’. However, the associated resource constraints,
executive management focus on the mega-project and cultural barriers between
‘project’ and ‘corporate’ staff meant that INFRACO itself remained way back
on the risk maturity curve. When the mega-project successfully opened, the
CEO moved on, the skilled ex-pat workforce were retrenched to improve the
‘nationalization quota percentage’ and both the PMC risk function and the ERM
corporate risk function were demobilized. The organization, which had improved
its overall risk maturity index from 6% to 40% over two years, had on rerating,
regressed back to 32% with significant shortfalls in capability modules for
managing the risk management process, treatment, monitoring, culture and
embedding, and communication. The overall outcome was that the board and
senior management had reduced confidence in the remaining organization’s
ability to manage risk effectively and needed to reinvest more money and at least
two years of ERM programme work to recover to their previous level. Three years
later, a brand new internal audit team is trying to restart an ERM programme for
the third time in the organization’s short nine-year history by ‘incubating’ it without
dedicated ERM officers. See Chapter 5 on Designing a tailored risk maturity model,
Figure 5.12 – INFRACO Benchmarker™ bar-chart sample.

Regression is uncommon, at least in each corporate memory. When it may
occur, the risk function must be alert and warn in advance of its potential or
advent. Typical lead indicators or triggers for regression include:

●● major change in organization operations;
●● merger or acquisition;
●● new senior management or board;
●● reorganization;
●● major resource reallocation or cost-cutting programmes (most often
in response to external economic or internal financial crisis).

Misunderstanding 4: just a tool

There is a famous adage that ‘Essentially, all models are wrong, but some are
useful’ (Box, 1976). This excellent adage is true for risk maturity models as
well. Is a risk maturity model just a tool, in a pejorative sense? The answer
is both yes, and... no.
For the ‘yes’ case, no matter how well the risk maturity model is applied,
the risk and audit functions still need the right mix of people competencies
to apply their hand to the tool. People still remain the ERM drivers and
process the ‘hand-rail’ (meaning an inert guide of no use unless put to its
designed use by people). Any tool or technology will never make up for this.
For example, look at the demanding combination of qualities or competen-
cies that a risk director, chief risk officer (CRO) and risk function need to
have according to the Directors and Chief Risk Officers Group (DCRO) and
Governance Council (DCRO, 2013). They include multiple competencies
categorized under: risk management acumen, personal attributes, business
acumen, education, and experience. Tool-use does not at face value figure
prominently here.
For the ‘no’ case, a risk maturity model tool is a powerful enabler – if not
an ERM driver. This is not to say that a risk maturity or any model will
guarantee organization success – no single model will guarantee this.
However, it is a powerful tool to assess risk management system effectiveness.
Look at the huge number of tools cited in ISO/IEC 31010:2009 (ISO,
2009c). If the risk and management disciplines accept such a brilliant range
of tools just for the risk assessment process alone then there surely is no
issue with adding a tool to road map a wider range of capabilities (including
that risk assessment process). Practical risk managers and professionals
generally want what is useful and works today – perfection can wait for
tomorrow. Risk maturity models work.
In Chapter 2 we start to see how such a powerful tool is useful by understanding
the many benefits of using a risk maturity model.

Summary

This background chapter clarifies the basic concepts and definitions behind
risk maturity models and how they are connected to the organization’s need
to assess risk management effectiveness. We trace how risk maturity models
have, since 1997, evolved away from their parent, the capability maturity
model and the SEI CMM. We learn how risk maturity models have expanded
to cover multiple risk-related capabilities other than just process. We clear up
some common misunderstandings regarding risk maturity models: being
treated equally, so-called ‘global best practice’, progression without regres-
sion or stasis states, and their status as a tool.
